The state of cyber warfare law

As yet, there is no specific convention or treaty to regulate cyber warfare and seriously address its unique characteristics.

Cyber warfare 370.
(photo credit:Rick Wilking/Reuters)

Cyber warfare is a perplexing problem for nations, for theorists and for
military lawyers. It is hotly debated how existing principles of the law of
armed conflict should apply to the relatively new phenomenon.

Some think
the best solution would be a new international convention on cyber crime and
warfare, but many commentators think this is unlikely to happen.

Last
month, The Jerusalem Post reported that the IDF’s Information Security Branch
had identified an increase in attempts by foreign hostile intelligence entities
to listen in on army communications and gain access to military
computers.

The increased threat includes a major attempt to eavesdrop on
cellphones used by the IDF, as well as hacking attacks directed at army computer
networks.

Sources from the Information Security Branch did not name who
specifically was behind the efforts, but said they expected the stepped-up
threat to continue into 2013.

A few weeks ago, The New York Times cited
US security officials as saying that Iran was behind a string of online attacks
against American banks. The officials said the denial-of-service attacks on the
banks were sophisticated and beyond the scope of amateurs.

All of this
(some have called it “payback”) follows general acknowledgement by the US and
Israel over the last year or so that they have utilized offensive cyber warfare
tactics against adversaries such as Iran.

Now that the US and Israel are
“out of the closet” and are experiencing more aggressive attacks as well, it is
worth revisiting to what extent there are any legal norms regarding the
issue.

Most leading commentators agree that the law of armed conflict
applies, but there is hot debate, based on the unique nature of cyber warfare,
as to whether to apply the law narrowly or broadly.

One school of thought
proposed by leading law of armed conflict expert Prof. Michael Schmitt, among
others, says that cyber warfare and operations are only considered an “attack”
under Protocol I to the Geneva Conventions if physical harm results from the
cyber operation.

Under this concept, it might be that none of the above
examples – sabotage of Iran’s nuclear program or spying and sabotage of US and
Israel’s militaries and US banks – are considered “attacks” under the law of
armed conflict.

Cyber operations might cause significant technological
inconvenience and defacement of websites; they might be considered a form of
psychological pressure and might be prosecutable under domestic criminal law if
a perpetrator could be arrested. But none of those descriptions imply physical
harm under the laws of armed conflict.

Under an alternate school of
thought promoted by Dr. Knut Dormann of the International Red Cross’s legal
division, many of the above incidents could be categorized as
“attacks.”

The alternate concept states that damage, destruction and
death are not minimum result requirements for an “attack.”

Rather, any
operation which targets civilians or civilian objects would qualify as an
“attack,” regardless of the result.

The advantages of the second approach
are that it covers some of the severe nonphysical harm that cyber operations can
cause and addresses concerns that the first approach is too narrow.

On
the other hand, the first approach is often viewed as more realistic in terms of
“state practice” – what states actually do and will even consider limiting
themselves to.

In other words, most states, including the US, Israel and
many others, currently view interference and disruption of broadcasts, websites
and other electronic media, which can also impact civilians, as a crucial part
of psychological operations and gaining the element of surprise over an
adversary.

But all of the above debate is just attempts at applying
general principles of the law of armed conflict that apply to land, sea and air
warfare, land mines, chemical weapons and all forms of warfare to cyber
operations.

The above debate does not delve into creating a specific
convention or treaty to regulate cyber warfare and seriously address its unique
characteristics.

For example, chemical and nuclear weapons, when they
came on the scene in many areas, uprooted all traditional notions of the law of
armed conflict because of their unique characteristics, such as that their use
can eliminate the question of what responses are permitted as they can
potentially eliminate a party and its ability to respond.

Cyber warfare
poses at least as much confusion.

For example, even as intelligence
agencies and states publicize their conclusions about who hit them with a cyber
operation, it could be nearly impossible to prove who perpetrated a cyber
operation to a criminal standard of beyond a reasonable doubt.

Even if it
is possible to pinpoint a country, as Georgia pinpointed Russia for a wave of
attacks in 2008, the state can deny any sanctioned state involvement and claim
(possibly even truthfully) that the operations were initiated by a group of
vigilantes.

Who cares what the law is if a perpetrator can’t be traced?
There have been some limited initial efforts at a cybercrime convention that
would address criminal cyber issues as well as some cyber warfare
issues.

The Council of Europe ratified a Cybercrime Convention in 2001.
But this convention was only ratified by two-thirds of European states (not
including the UK, Poland and many others) and the US.

Separately, Russia,
China and a small number of Asian countries under the Shanghai Cooperation
Organization (SCO) have ratified the International Information Security
Agreement.

The disparity in how the two agreements treat the issues and
the interests of the major nations behind them make it unlikely that there will
be any agreements between East and the West in the near future.

For
example, the SCO agreement lists as major threats the “dominant position in the
information space” of Western nations and the “dissemination of information
harmful to the socio-political systems, spiritual, moral and cultural
environment” of the Asian states.

Many commentators view recent Western
proposals, such as that of past US government terrorism and cyber warfare
experts Richard Clarke and Robert Knake, to regulate attacks on civilians
without banning cyber operations against military targets or for espionage
purposes as dead-on-arrival for nations like China, Iran or North Korea – the
countries Western nations care about regulating the most.

Clarke and
Knake propose a ban on cyber operations against banks. In theory, no country
should oppose such a ban, as every nation would like its own banks to be more
secure.

But that isn’t how the interests appear to line up.

The
US, for example, does not attack banks and loses nothing by promising not
to.

But experts say that China is committed to deploying cyber agents
inside the critical infrastructure of the US and other nations, including banks,
to make up for its relative weakness in military capabilities.

Some
non-democratic nations, like China, also have better security over their banks
than some Western nations do.

In the same vein, Iran or North Korea might
want to maintain the threat of shutting down the US or Israel’s electricity grid
or some other crucial aspect of infrastructure to preserve an asymmetrical
threat and response in the face of US and Israeli superiority in other
areas.

It is also worth noting that many key nations have either not
ratified the Nuclear Non-Proliferation treaty or ratified it, but flout its
provisions openly. One such nation is Iran.

So even as US and Israeli
cyber attacks on Iran and others, and attacks against Israel and other Western
nations, get more aggressive, it is unlikely that a major convention will get
off the ground to regulate the issue.

A separate initiative is for
different militaries’ legal teams to quietly put together some agreed-upon
customary or suggested standards to try to start better regulating cyber
warfare.

In the meantime, until some of the key nations get hit with a
cyber attack that they view as too costly, aggressive competition with some
self-limiting by general principles of the law of armed conflict is probably as
far as international law will go in terms of regulating cyber warfare.